DevOps: Create admin user for standalone tomcat webapp

Hello,
Recently, I downloaded camunda-webapp-tomcat-standalone-7.15.0.war and deployed it into a tomcat installation. When browsing to http://server:8080/camunda, I am redirected to

http://server:8080/camunda/app/admin/default/setup/#/setup

where I am prompted to create the initial admin user. At my work, we do not want to use LDAP yet.

The question is: how can I configure the war file to include an administrator user with a password (similar to adding database connection information in WEB-INF/applicationContext.xml)?

We need to have a fully automated (via ansible) mechanism to provision Camunda onto the existing tomcat installation. This is why we have this requirement.

What is the best practice for bootstrapping an internal database-based admin user into Camunda?

Hello @bland999,

The admin user information is stored in your database, and once you initialize the user via the setup screen, you will not have to do so again for any engine connecting to your database.

Are you able to complete the setup process for the database via the UI?
Otherwise you could input the admin user manually via SQL statements in the database.

Best,
Emma

Thank you very much for your reply. The use case we have at work is to automate the installation process completely, in order to deploy Camunda to multiple environments having standalone Tomcat servers.

If you can kindly point me to documentation that explains the SQL statements to run, that would be great. If you can supply the statements here, that is even better and I am sure would help others.

Thank you in advance for your time and efforts.

Hello again @bland999,

I actually think this is the documentation you’ll want to use rather than an SQL query – Authorization Service | docs.camunda.org

This should allow you to specify an admin user and group.
Then you can utilize the REST API to create the users. Create user | docs.camunda.org

Would that be a viable solution for you?

This is definitely a viable solution, and I actually did read that documentation previously. There is only one puzzling detail that I don’t understand: even if I enable the AdministratorAuthorizationPlugin, it is designed to grant administrator privileges to a user, i.e. the “admin” user as in the example in the link.

The missing piece is what is the password of that user? Even though the user has admin access, where does one specify the user’s password?

You can use the Create User endpoint to create the admin user with the desired password:
https://docs.camunda.org/manual/latest/reference/rest/user/post-create/

Here is an older plug-in you could look to base some work from: Administrative User Creation when using Docker image and removal of camunda-invoice - New Plugin

Well, after several days of puzzling over this, I have it working. The URLs supplied in this thread are not correct (but I sincerely appreciate you trying to help… though it cost some long evenings). The proper URL for Camunda 7.15 is /camunda/api/admin/setup/default/user/create. The /api/admin/setup resources are for one-time, bootstrap purposes only, exactly what I needed.

For anyone in the future looking for an ansible solution, the following is it, and if you know ansible, it is easy to follow.

- name: Ensure there is a Camunda workspace
  file:
    path: /root/workspace/camunda
    state: directory
    owner: root
    group: root
    mode: '0755'
  when:
    - ansible_host == camunda_server_bootstrap_server

- name: Upload the administrative user data file
  template:
    src: camunda_admin_user.json.j2
    dest: /root/workspace/camunda/camunda_admin_user.json
    owner: root
    group: root
    mode: '0600'
  when:
    - ansible_host == camunda_server_bootstrap_server

- name: Contact Camunda to get a session and XSRF token
  uri:
    url: http://{{camunda_server_bootstrap_server}}:{{tomcat_server_connector_port}}/camunda/
    method: GET
  when:
    - ansible_host == camunda_server_bootstrap_server
  register: output_camunda_get

- debug: var=output_camunda_get
  when:
    - ansible_host == camunda_server_bootstrap_server

# This can only succeed ONCE. Running it twice or more will give the error "Setup action not available".
# https://jar-download.com/artifacts/org.camunda.bpm.webapp/camunda-webapp/7.7.0-alpha1/source-code/org/camunda/bpm/admin/impl/web/SetupResource.java
- name: Create the administrative user
  uri:
    url: http://{{camunda_server_bootstrap_server}}:{{tomcat_server_connector_port}}/camunda/api/admin/setup/default/user/create
    method: POST
    headers:
      Cookie: "{{output_camunda_get.cookies_string}}"
      Content-Type: application/json
      X-XSRF-TOKEN: "{{output_camunda_get.cookies['XSRF-TOKEN']}}"
    remote_src: true
    src: /root/workspace/camunda/camunda_admin_user.json
    status_code: [200, 204]
  when:
    - ansible_host == camunda_server_bootstrap_server
  register: output_camunda_post

- debug: var=output_camunda_post
  when:
    - ansible_host == camunda_server_bootstrap_server

The template json file is as follows:

{"profile": {"id": {{ camunda_server_admin_user_id | to_json }}, "firstName": "Joe", "lastName": "Administrator", "email": "noreply@example.com"}, "credentials": {"password": {{ camunda_server_admin_user_password | to_json }} } }

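The same exchange as the playbook above, as an added Python example that is not part of the original thread: it fetches the XSRF-TOKEN cookie, echoes it in the X-XSRF-TOKEN header on the setup POST, and treats the "Setup action not available" reply as "already bootstrapped" so a second run does not fail. `MockCamunda` is a constructed stand-in so the code runs offline (its token value and 403 status are assumptions); `bootstrap_admin` and `demo` are hypothetical names.

```python
import http.cookiejar, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
SETUP_PATH = "/camunda/api/admin/setup/default/user/create"  # URL from the post

class MockCamunda(BaseHTTPRequestHandler):
    """Constructed stand-in so the example runs offline; not Camunda code."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", "XSRF-TOKEN=constructed-token; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sent = "XSRF-TOKEN=" + str(self.headers.get("X-XSRF-TOKEN"))
        if sent not in self.headers.get("Cookie", ""):  # header must echo cookie
            return self.send_error(403, "XSRF token mismatch")
        if getattr(self.server, "admin_exists", False):  # 403 is an assumption
            return self.send_error(403, "Setup action not available")
        self.server.admin_exists = True
        self.send_response(204)
        self.end_headers()

def bootstrap_admin(base_url, user_id, password):
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(  # empty ProxyHandler: connect directly
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + "/camunda/").close()  # GET sets session + XSRF cookies
    token = next(c.value for c in jar if c.name == "XSRF-TOKEN")
    profile = {"id": user_id, "firstName": "Joe", "lastName": "Administrator",
               "email": "noreply@example.com"}
    # json.dumps escapes quotes and backslashes in the password
    body = json.dumps({"profile": profile, "credentials": {"password": password}})
    req = urllib.request.Request(base_url + SETUP_PATH, data=body.encode(), headers={
        "Content-Type": "application/json", "X-XSRF-TOKEN": token})
    try:
        opener.open(req).close()
        return "created"
    except urllib.error.HTTPError as err:
        if b"Setup action not available" in err.read():
            return "already-set-up"  # rerun of the bootstrap, not a failure
        raise  # anything else (e.g. XSRF mismatch) is a real error

def demo():
    with HTTPServer(("127.0.0.1", 0), MockCamunda) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        results = [bootstrap_admin(base, "admin", 'p"w\\d') for _ in range(2)]
        server.shutdown()
        return results
```

Against a real server, pass `http://server:8080` as `base_url` and read the password from a file or vault rather than the command line.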